Coffee Addicts

Link: https://www.vulnhub.com/entry/coffee-addicts-1,699/

Penthos
Jun 24, 2021

Enum

IP: 192.168.1.159

Note: Add coffeeaddicts.thm to /etc/hosts

Nmap

PORT   STATE SERVICE
22/tcp open ssh
80/tcp open http

Port 80

Gobuster (dir)

ffuf -w /usr/share/SecLists/Discovery/Web-Content/directory-list-lowercase-2.3-medium.txt -u http://coffeeaddicts.thm/FUZZ -ic

wordpress               [Status: 301, Size: 326, Words: 20, Lines: 10]
                        [Status: 200, Size: 735, Words: 95, Lines: 32]

WordPress

http://coffeeaddicts.thm/wordpress/

WPScan reveals a username, 'gus'.

Checking the comments of the second post shows us a hint:

*Hint: password is in the image above…

Now we can log in to the admin panel and take a quick look around the app.

I see we can edit the plugin files.

You can open the Akismet plugin and edit its PHP for a reverse shell; either a PHP reverse shell or a basic webshell will do.

Then call the URL for the akismet.php file to activate your reverse shell:

http://coffeeaddicts.thm/wordpress/wp-content/plugins/akismet/akismet.php?c=id
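
From the defender's side, both steps above leave traces in the web server's access log. The following is an added example, not part of the original write-up: it flags use of the WordPress plugin editor and direct, parameterised requests to plugin PHP files. It assumes Apache combined log format; the function name triage, the client addresses and the sample lines are constructed for illustration.

```python
import re
from urllib.parse import urlsplit, parse_qsl

# Apache "combined" access-log line (ident, user, time and size are not used).
LOG_RE = re.compile(
    r'(?P<ip>\S+) \S+ \S+ \[[^\]]+\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) ')
# WordPress's built-in plugin file editor page.
EDITOR = re.compile(r'/wp-admin/plugin-editor\.php$')
# A PHP file under a plugin directory, requested directly over HTTP.
PLUGIN_PHP = re.compile(r'/wp-content/plugins/([^/]+)/(?:.*/)?[^/]+\.php$', re.I)

def triage(lines):
    """Flag plugin-editor use and parameterised requests to plugin PHP files."""
    findings, editor_ips = [], set()
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # not combined format: skip instead of guessing
        url = urlsplit(m["target"])
        if EDITOR.search(url.path):
            editor_ips.add(m["ip"])
            findings.append(("plugin-editor", "medium", m["ip"], url.path, []))
            continue
        hit = PLUGIN_PHP.search(url.path)
        # Plugin entry points are normally loaded by WordPress itself, so a
        # direct hit that carries parameters and returns 2xx deserves a look.
        if hit and url.query and m["status"].startswith("2"):
            names = [k for k, _ in parse_qsl(url.query, keep_blank_values=True)]
            sev = "high" if m["ip"] in editor_ips else "medium"
            findings.append(("plugin-php-params", sev, m["ip"], url.path, names))
    return findings

# Constructed sample log lines: client addresses, times and sizes are invented;
# the request paths follow the URLs in this write-up.
SAMPLE = [
    '192.168.1.50 - - [24/Jun/2021:10:01:12 +0000] "GET /wordpress/ HTTP/1.1" 200 5120 "-" "Mozilla/5.0"',
    '192.168.1.50 - - [24/Jun/2021:10:01:13 +0000] "GET /wordpress/wp-content/plugins/akismet/_inc/akismet.css?ver=1 HTTP/1.1" 200 900 "-" "Mozilla/5.0"',
    '192.168.1.50 - - [24/Jun/2021:10:05:40 +0000] "POST /wordpress/wp-admin/plugin-editor.php HTTP/1.1" 200 7311 "-" "Mozilla/5.0"',
    '192.168.1.50 - - [24/Jun/2021:10:06:02 +0000] "GET /wordpress/wp-content/plugins/akismet/akismet.php?c=id HTTP/1.1" 200 54 "-" "curl/7.74.0"',
    '192.168.1.77 - - [24/Jun/2021:10:09:30 +0000] "GET /wordpress/wp-content/plugins/akismet/akismet.php?c=id HTTP/1.1" 404 289 "-" "curl/7.74.0"',
    'malformed line without request fields',
]

if __name__ == "__main__":
    for finding in triage(SAMPLE):
        print(finding)
```

Setting define('DISALLOW_FILE_EDIT', true); in wp-config.php removes the plugin editor from the admin panel, which closes the step this box relies on.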

User

After getting a reverse shell and checking out the files in Gus's home directory, we see a readme.txt and the flag.

readme.txt

hello, admin.as you can see your site has been hacked, any attempt of fixing it is futile, as we removed you from the sudoers and we changed the root password.~Nicolas Fritzges

Flag

THM{s4v3_y0uR_Cr3d5_b0i}

In the other user's home folder we can find a .ssh file; it's password protected. Using ssh2john we can crack the password:

python3 ssh2john.py id_rsa > hash

Root

Now we can SSH into the box as badbyte. Running sudo -l shows

The path to root is clear now and to the last flag!

sudo /opt/BadByte/shell

flag

THM{im_the_shell_master}
